Verizon has just released the 2014 security breach report, which analyzes the security breaches and attacks form 2013. They found 198 total instances that they worked on with all 198 having confirmed data disclosed.
The common method of attack is to install malware on POS systems and collect magnetic strip data that is in process, retrieve the data and then cash in. Most of this type of compromise is based on criminal groups that are operating out of Eastern Europe and they are very good at what they do.
While most small businesses think they are not a target, that is not true, they are a very lucrative target. It will start with a compromise of the POS device with little legwork. The POS device is connected to the entire Internet without restriction and with weak or default passwords (sometimes no passwords).
The attacker will scan the Internet for open remote-access ports and if it identifies a point of sale device, it issues a script with credentials to brute-force to gain access to the device. If they gain access, they then install malware to collect and export payment card information.
Interesting enough, they are using what is called a RAM scraper malware to grab payment card data while it is in memory. Why? The payment card information in memory is typically unencrypted. Payment card information traveling across the network is typically encrypted when it is stored on the hard drive or in transit across the network.
The scary thing is that the breaches are not discovered until the criminals begin using the data they have stolen for fraud and other purposes.
These are some recommend security controls.
Restrict Remote Access
Limit remote access to your POS systems to only your third party management vendor and have a discussion on how and when they will be doing their duties. Consider only enabling remote access when the vendor needs and requests it.
Enforce Password Polices
Make sure that all passwords used for remote access to POS systems are not factory defaults, the name of the POS vendor or dictionary words and otherwise weak passwords. If this is outsourced, require and verify that this is completed and they do not use the same password for other customers.
Do Not Use the POS system for WEB Browsing
Disabled browsing the Internet from POS systems. They should only be used for POS transactions. Any modern firewall can help with this.
Install and maintain anti-virus software on POS systems. This is important to catch know threats and to help keep the machine secure.
If you are a Large or Multi-store Company
Segment the POS network.
You should really separate the POS network from the corporate network. You should also restrict what goes into and out of this network. You should also review connections between stores. Store POS networks typically do not need to communicate with each other.
Monitor and look for suspicious network activity
Monitor network traffic to and from the POS network. If you do enough monitoring, you should be able to tell what a normal traffic pattern is and if something looks like it is not normal, then it must be identified and investigated.
Utilize two-factor authentication
Using strong passwords on machines would cut out a large part of the issue with the POS system becoming compromised. If you use two-factor authentication for third parties and internal users, the compromise becomes very difficult and almost impossible.
This advice above was obtained from the Verizon security breach report. It is very simple advice. Most of this advice should just be part of everyone’s network security program. You should really have anti-virus on all systems and have it update every hour. You should also have a firewall that restricts incoming access and outgoing access. Most modern firewall’s have intrusion detection and threat prevention. These items should be enabled.
You should also have a strong password policy enabled on all systems and have vendors use strong passwords. You should have at least eight characters with a capital letter, a number and a special character. You should also require a password change every 90 days.
Finally, web browsing from machines that do financial transactions is not a good idea. You should restrict web access (deny all and only allow what is necessary).
This simple advice will help keep you secure and out of the newspaper headlines.
The Verizon security breach report can be found here